Abstract—Recently, a new polynomial basis over binary extension fields was proposed such that the fast Fourier transform (FFT) over such fields can be computed with complexity of order $O(n\lg(n))$, where $n$ is the number of points evaluated in the FFT. In this work, we reformulate this FFT algorithm so that it can be more easily understood and extended to develop frequency-domain decoding algorithms for $(n = 2^m, k)$ systematic Reed-Solomon (RS) codes over $\mathbb{F}_{2^m}$, $m \in \mathbb{Z}^+$, with $n-k$ a power of two. First, the basis of syndrome polynomials is reformulated in the decoding procedure so that the new transforms can be applied to the decoding procedure. A fast extended Euclidean algorithm is developed to determine the error locator polynomial. The computational complexity of the proposed decoding algorithm is $O(n\lg(n-k) + (n-k)\lg^2(n-k))$, improving upon the best currently available decoding complexity $O(n\lg^2(n)\lg\lg(n))$, and reaching the best known complexity bound that was established by Justesen in 1976. However, Justesen's approach applies only to codes over some specific fields, which can use Cooley-Tukey FFTs. As revealed by the computer simulations, the proposed decoding algorithm is 50 times faster than the conventional one for the $(2^{16}, 2^{15})$ RS code over $\mathbb{F}_{2^{16}}$.

I. Introduction 

Reed-Solomon (RS) codes are a class of block error-correcting codes that were invented by Reed and Solomon in 1960. An $(n, k)$ RS code is constructed over $\mathbb{F}_q$, for $n = q - 1$. Its extended version, called extended Reed-Solomon codes, admits a codeword length of up to $n = q$ or $n = q + 1$. The systematic version of an $(n, k)$ RS code appends $n - k$ parity symbols to the $k$ message symbols, forming a codeword of length $n$. RS codes are maximum distance separable (MDS). $(n, k)$ RS codes can correct up to $\lfloor (n-k)/2 \rfloor$ erroneous symbols. Nowadays, RS codes have numerous important applications, including barcodes (such as QR codes), storage devices (such as Blu-ray Discs), digital television (such as DVB and ATSC), and data transmission technologies (such as DSL and WiMAX). RS codes are also used to design other forward error correction codes, such as regenerating codes and local reconstruction codes. The wide range of applications of RS codes raises an important issue concerning their computational complexity. More specifically, since the practical implementations of RS codes are typically over binary extension finite fields, the complexity of RS codes over those fields has received more attention than that over others.

The conventional syndrome-based RS decoding algorithm has quadratic complexity. Some fast approaches are based on FFTs or fast polynomial arithmetic techniques. However, the structures of FFTs over finite fields vary with the sizes of the fields $\mathbb{F}_q$. When $q-1$ is a smooth number, meaning that $q-1$ can be factorized into many small primes, the Cooley-Tukey FFT in $O(n\lg(n))$ field additions and field multiplications can be applied. A conventional case involves choosing Fermat primes $q \in \{2^m + 1 \mid m = 1, 2, 4, 8, 16\}$. Based on such FFTs, Justesen gave an $O(n\lg^2(n))$ approach for decoding $(n, k)$ RS codes over $\mathbb{F}_{2^m+1}$. Another approach to solving the key equations of BCH codes was proposed by Pan, and it reduces a factor of $\lg n$ when the characteristic of the field is large enough. However, that algorithm brings no improvement for codes over binary extension fields. If $q-1$ is not smooth, Cooley-Tukey FFTs are inapplicable. In this case, the FFTs over arbitrary fields can be applied, which require $O(n\lg(n)\lg\lg(n))$ field operations. Gao presented an $O(n\lg^2(n)\lg\lg(n))$ RS decoding algorithm over arbitrary fields, by utilizing fast polynomial multiplications. Further, for codes over $\mathbb{F}_{2^m}$, the additive FFT, which requires $O(n\lg(n)\lg\lg(n))$ operations, can be applied to reduce the leading constant further. To the authors' knowledge, the additive FFT is the fastest algorithm over $\mathbb{F}_{2^m}$ so far.

As RS codes are typically constructed over binary extension fields, we consider this case in this paper. Clearly, if one wants to remove the extra factor $\lg\lg(n)$ in the RS algorithms over binary extension fields, FFTs in $O(n\lg(n))$ are required. Recently, Lin et al. showed a new way to solve the aforementioned FFT problem. That paper defined a new polynomial basis based on subspace polynomials over $\mathbb{F}_{2^m}$. For a polynomial of degree less than $h$ in this new basis, the $h$-point multipoint evaluations can be made in $O(h\lg(h))$ field operations. Based on the multipoint evaluation algorithm, encoding/erasure decoding algorithms for $(n, k)$ RS codes [15] were proposed to achieve $O(n\lg(n))$. However, the error-correction RS decoding algorithm based on the new basis was not yet provided.

This paper develops an error correction decoding algorithm for $(n = 2^m, k)$ RS codes over $\mathbb{F}_{2^m}$, for $k/n > 0.5$ and $(n-k)$ a power of two.¹ In practice RS codes usually have rates $k/n > 0.5$. The complexity of the proposed algorithm is given by $O(n\lg(n-k) + (n-k)\lg^2(n-k))$. Holding the code rate $k/n$ constant yields a complexity of $O(n\lg^2(n))$, which is better than the best existing complexity of $O(n\lg^2(n)\lg\lg(n))$, which was achieved by Gao in 2002. The algorithm is based on the non-standard polynomial basis. To embed the new basis into the decoding algorithm, we reformulate the decoding formulas such that all arithmetic is performed in the new basis. The key equation is solved by the Euclidean algorithm, and thus fast polynomial division, as well as the Euclidean algorithm in the new basis, are proposed. Finally, we combine those algorithms, resulting in a fast error-correction RS decoding algorithm. The major contributions of this paper are summarized as follows.

1) An alternative description of the algorithms for the new polynomial basis is presented.

2) An $O(h\lg(h))$ fast polynomial division in the new basis is derived.

3) An $O(h\lg^2(h))$ fast half-GCD algorithm in the new basis is presented.

4) An $O(n\lg(n-k))$ RS encoding algorithm is presented, for $n-k$ a power of two.

5) A syndrome-based RS decoding algorithm that is based on the new basis is demonstrated.

6) An $O(n\lg(n-k) + (n-k)\lg^2(n-k))$ RS decoding algorithm is presented, for $n-k$ a power of two.


Notably, [15] gave the encoding algorithms for RS codes with the complexity $O(n\lg(k))$, for $k$ a power of two. That encoding algorithm is suitable for coding rate $k/n < 0.5$; however, the proposed encoding algorithm in this work is suitable for $k/n > 0.5$.

The rest of this paper is organized as follows. Section II reviews the definitions of the polynomial basis. The multipoint evaluation algorithm is provided in Sec. III. Section IV provides an alternative polynomial basis that is constructed using monic polynomials. The polynomial operations that are used in the encoding/decoding of RS codes are explicated. Section V presents the fast extended Euclidean algorithm that is based on the half-GCD method. Section VI and Section VII introduce the algorithms for encoding and decoding RS codes. Section VIII presents simulations and draws conclusions.


II. Polynomial basis in $\mathbb{F}_{2^m}[x]/(x^{2^m} - x)$

This section reviews the subspace polynomials over $\mathbb{F}_{2^m}$, and the associated polynomial basis.

A. Subspace polynomial

Let $\mathbb{F}_{2^m}$ denote an extension finite field with dimension $m$ over $\mathbb{F}_2$. Let $\mathbf{v} = (v_0, v_1, \dots, v_{m-1})$ denote a basis of $\mathbb{F}_{2^m}$. That is, all $v_i \in \mathbb{F}_{2^m}$ are linearly independent over $\mathbb{F}_2$. A $k$-dimensional space $V_k$ of $\mathbb{F}_{2^m}$ is defined as

$$V_k = \mathrm{Span}(\mathbf{v}_k) = \{ i_0 \cdot v_0 + i_1 \cdot v_1 + \dots + i_{k-1} \cdot v_{k-1} \mid \forall i_j \in \{0, 1\} \},$$

where $\mathbf{v}_k = (v_0, v_1, \dots, v_{k-1})$ is a basis of space $V_k$, and $k \le m$. We can form a strictly ascending chain of subspaces given by

$$\{0\} = V_0 \subset V_1 \subset V_2 \subset \dots \subset V_m = \mathbb{F}_{2^m}.$$

Let $\{\omega_i\}_{i=0}^{2^m-1}$ denote the elements of $\mathbb{F}_{2^m}$. Each element is defined as

$$\omega_i = i_0 \cdot v_0 + i_1 \cdot v_1 + \dots + i_{m-1} \cdot v_{m-1},$$

where $i_j \in \{0, 1\}$ is the binary representation of $i$. That is,

$$i = i_0 + i_1 \cdot 2 + \dots + i_{m-1} \cdot 2^{m-1}, \quad \forall i_j \in \{0, 1\}.$$

This implies that $V_k = \{\omega_i\}_{i=0}^{2^k-1}$, for $k = 0, 1, \dots, m$. Note that $\omega_0 = 0$ is the additive identity in the field. In this work, $\omega_0$ and $0$ will be used interchangeably when there is no confusion. The subspace polynomial of $V_k$ is defined as

$$s_k(x) = \prod_{a \in V_k} (x - a), \tag{2}$$

and it is clear to see that $\deg(s_k(x)) = 2^k$. For example, $s_0(x) = x$, and $s_2(x) = x(x - v_0)(x - v_1)(x - v_0 - v_1)$. The properties of $s_k(x)$ are given below.

Theorem 1. (i) $s_k(x)$ is an $\mathbb{F}_2$-linearized polynomial for which

$$s_k(x) = \sum_{i=0}^{k} s_{k,i} x^{2^i}, \tag{3}$$

with each $s_{k,i} \in \mathbb{F}_{2^m}$. This implies that

$$s_k(x + y) = s_k(x) + s_k(y), \quad \forall x, y \in \mathbb{F}_{2^m}. \tag{4}$$

(ii) The formal derivative of $s_k(x)$ is a constant

$$s_k'(x) = \prod_{a \in V_k \setminus \{0\}} a. \tag{5}$$

The recursive form of subspace polynomials is given by

$$s_0(x) = x; \tag{6}$$

$$s_j(x) = s_{j-1}(x)\, s_{j-1}(x - v_{j-1}) = (s_{j-1}(x))^2 - s_{j-1}(v_{j-1})\, s_{j-1}(x), \quad j = 1, 2, \dots, m. \tag{7}$$

¹ There are many $(n, k)$ that can be chosen when $n = 2^m$, $k = 2^m - 2^t$, where $t < m$.

B. Polynomial basis

Let $\bar{\mathbb{X}} = \{\bar{X}_0(x), \bar{X}_1(x), \dots, \bar{X}_{2^m-1}(x)\}$ denote a basis of $\mathbb{F}_{2^m}[x]/(x^{2^m} - x)$. Each $\bar{X}_i(x)$ is defined as

$$\bar{X}_i(x) = X_i(x)/p_i, \tag{8}$$

where

$$X_i(x) = \prod_{j=0}^{m-1} (s_j(x))^{i_j}, \qquad p_i = \prod_{j=0}^{m-1} (s_j(v_j))^{i_j}, \tag{9}$$

and each $i_j \in \{0, 1\}$ is the binary representation of $i$. Notice that $(s_j(x))^0 = (s_j(v_j))^0 = 1$. For example, $\bar{X}_0(x) = 1$, and $\bar{X}_3(x) = X_3(x)/p_3 = (s_0(x) s_1(x))/(s_0(v_0) s_1(v_1))$. It can be seen that $\deg(\bar{X}_i(x)) = i$, and thus the basis $\bar{\mathbb{X}}$ can represent all elements in $\mathbb{F}_{2^m}[x]/(x^{2^m} - x)$.
A polynomial $D_h(x)$ of degree $h$ in the basis $\bar{\mathbb{X}}$ is represented as

$$D_h(x) = \sum_{i=0}^{h-1} d_i \bar{X}_i(x), \tag{10}$$

with each $d_i \in \mathbb{F}_{2^m}$. Throughout this paper, $D_h = (d_0, d_1, \dots, d_{h-1})$ is used to indicate the vector of the coefficients of $D_h(x)$. Due to the fact that $\deg(\bar{X}_i(x)) = i$, the new basis possesses the following properties.

Corollary 1. Given a polynomial $f(x) \in \mathbb{F}_{2^m}[x]/(x^{2^m} - x)$ respectively expressed in the monomial basis and $\bar{\mathbb{X}}$

$$f(x) = \sum_{i=0} f_i^{(0)} x^i = \sum_{i=0} f_i^{(1)} \bar{X}_i(x),$$

the following properties hold.

1) $f_i^{(0)} = f_i^{(1)} = 0$, for $i \ge h + 1$.
2) $f_h^{(1)} = f_h^{(0)} \cdot p_h$.
3) For $0 \le j \le h$, $(f_j^{(1)}, f_{j+1}^{(1)}, \dots, f_h^{(1)})$ is determined by $(f_j^{(0)}, f_{j+1}^{(0)}, \dots, f_h^{(0)})$, and vice versa.

III. Multipoint evaluations at $V_k$

For any polynomial $f(x)$ and a set $V$, let the notation $f(V)$ denote a set of evaluation values $f(V) = \{f(a) \mid \forall a \in V\}$. Lin et al. gave a recursive algorithm in $O(2^k \lg(2^k))$ to calculate $D_{2^k}(V_k + \beta)$, where

$$V_k + \beta = \{a + \beta \mid a \in V_k\} \quad \text{for any } \beta \in \mathbb{F}_{2^m}.$$

In this section, we describe that algorithm from another viewpoint, which helps us to develop encoding/decoding algorithms for RS codes.

The set of evaluation points can be divided into two individual subsets

$$V_k + \beta = (V_{k-1} + \beta) \cup (V_{k-1} + v_{k-1} + \beta),$$

where $(V_{k-1} + v_{k-1} + \beta)$ is the coset of $(V_{k-1} + \beta)$ by adding $v_{k-1}$. Accordingly, the set of polynomial evaluations can be divided into two subsets

$$D_{2^k}(V_k + \beta) = D_{2^k}(V_{k-1} + \beta) \cup D_{2^k}(V_{k-1} + v_{k-1} + \beta). \tag{11}$$

The algorithm relies on the following lemma.

Lemma 1. Given $\gamma \in \mathbb{F}_{2^m}$ and a polynomial $D_{2^k}(x) \in \mathbb{F}_{2^m}[x]/(x^{2^m} - x)$ in the basis $\bar{\mathbb{X}}$, we have

$$D_{2^k}(a + \gamma) = \sum_{i=0}^{2^{k-1}-1} \Big( d_i + \frac{s_{k-1}(\gamma)}{s_{k-1}(v_{k-1})}\, d_{i+2^{k-1}} \Big) \bar{X}_i(a + \gamma), \tag{12}$$

for each $a \in V_{k-1}$.

Based on Lemma 1, the algorithm to compute (11) is described below. By substituting $\gamma = \beta$ into (12), we obtain

$$D_{2^k}(a + \beta) = \sum_{i=0}^{2^{k-1}-1} \Big( d_i + \frac{s_{k-1}(\beta)}{s_{k-1}(v_{k-1})}\, d_{i+2^{k-1}} \Big) \bar{X}_i(a + \beta) = \sum_{i=0}^{2^{k-1}-1} g_i^{(0)} \bar{X}_i(a + \beta) = D^{(0)}_{2^{k-1}}(a + \beta) \quad \forall a \in V_{k-1}, \tag{13}$$

where each

$$g_i^{(0)} = d_i + \frac{s_{k-1}(\beta)}{s_{k-1}(v_{k-1})}\, d_{i+2^{k-1}}, \quad i = 0, 1, \dots, 2^{k-1} - 1. \tag{14}$$

This converts $D_{2^k}(V_{k-1} + \beta)$ into $D^{(0)}_{2^{k-1}}(V_{k-1} + \beta)$. Furthermore, by substituting $\gamma = v_{k-1} + \beta$ into (12), we obtain

$$\begin{aligned}
D_{2^k}(a + v_{k-1} + \beta)
&= \sum_{i=0}^{2^{k-1}-1} \Big( d_i + \frac{s_{k-1}(v_{k-1} + \beta)}{s_{k-1}(v_{k-1})}\, d_{i+2^{k-1}} \Big) \bar{X}_i(a + v_{k-1} + \beta) \\
&= \sum_{i=0}^{2^{k-1}-1} \Big( d_i + \frac{s_{k-1}(\beta)}{s_{k-1}(v_{k-1})}\, d_{i+2^{k-1}} + d_{i+2^{k-1}} \Big) \bar{X}_i(a + v_{k-1} + \beta) \\
&= \sum_{i=0}^{2^{k-1}-1} \big( g_i^{(0)} + d_{i+2^{k-1}} \big) \bar{X}_i(a + v_{k-1} + \beta) \\
&= \sum_{i=0}^{2^{k-1}-1} g_i^{(1)} \bar{X}_i(a + v_{k-1} + \beta) = D^{(1)}_{2^{k-1}}(a + v_{k-1} + \beta) \quad \forall a \in V_{k-1},
\end{aligned} \tag{15}$$

where each

$$g_i^{(1)} = g_i^{(0)} + d_{i+2^{k-1}}, \quad i = 0, 1, \dots, 2^{k-1} - 1. \tag{16}$$

This converts $D_{2^k}(V_{k-1} + v_{k-1} + \beta)$ into $D^{(1)}_{2^{k-1}}(V_{k-1} + v_{k-1} + \beta)$.

From (13) and (15), the set of evaluation points (11) can be expressed as

$$D_{2^k}(V_k + \beta) = D^{(0)}_{2^{k-1}}(V_{k-1} + \beta) \cup D^{(1)}_{2^{k-1}}(V_{k-1} + v_{k-1} + \beta). \tag{17}$$

By comparing (11) and (17), the degrees of both polynomials are reduced by one-half (the number of terms is reduced from $2^k$ to $2^{k-1}$). The complexity of obtaining both polynomials is discussed below. In (14), each coefficient $g_i^{(0)}$ takes an addition and a multiplication, except if $s_{k-1}(\beta) = 0$, then $g_i^{(0)} = d_i$ without any arithmetic operations. However, we do not consider this exception here, because the reduction from those exceptions is limited. As $D^{(0)}_{2^{k-1}}(x)$ has $2^{k-1}$ coefficients, it takes a total of $2^{k-1}$ additions and $2^{k-1}$ multiplications to obtain them. In (15), calculating each coefficient $g_i^{(0)} + d_{i+2^{k-1}}$ takes an addition, so it takes a total of $2^{k-1}$ additions to obtain the coefficients of $D^{(1)}_{2^{k-1}}(x)$.

This procedure can be applied recursively to each set $D^{(0)}_{2^{k-1}}(V_{k-1} + \beta)$ and $D^{(1)}_{2^{k-1}}(V_{k-1} + v_{k-1} + \beta)$ until the size of each set is one. With the divide-and-conquer strategy, the additive complexity and the multiplicative complexity are respectively written as

$$A(h) = 2 \times A(h/2) + h, \qquad M(h) = 2 \times M(h/2) + h/2,$$

and the result is $A(h) = h \lg(h)$ and $M(h) = (h/2) \lg(h)$. Algorithm 1 depicts the details of the recursive approach, denoted as $\mathrm{FFT}_{\bar{\mathbb{X}}}(\bullet, k, \beta)$.

Algorithm 1 Transform of the basis $\bar{\mathbb{X}}$
Input: $\mathrm{FFT}_{\bar{\mathbb{X}}}(D_{2^k}, k, \beta)$: $D_{2^k} = (d_0, d_1, \dots, d_{2^k-1})$, $k$ is the binary logarithm of size, and $\beta \in \mathbb{F}_{2^m}$
Output: $2^k$ evaluations $\hat{D}_{2^k} = (\hat{d}_0, \hat{d}_1, \dots, \hat{d}_{2^k-1})$, where each $\hat{d}_i = D_{2^k}(\omega_i + \beta)$
1: if $k = 0$ then return $d_0$
2: end if
3: for $i = 0, \dots, 2^{k-1} - 1$ do
4:     $g_i^{(0)} \leftarrow d_i + \frac{s_{k-1}(\beta)}{s_{k-1}(v_{k-1})}\, d_{i+2^{k-1}}$
5:     $g_i^{(1)} \leftarrow g_i^{(0)} + d_{i+2^{k-1}}$
6: end for
7: Call $V_0 \leftarrow \mathrm{FFT}_{\bar{\mathbb{X}}}(D^{(0)}_{2^{k-1}}, k-1, \beta)$, where $D^{(0)}_{2^{k-1}} = (g_0^{(0)}, \dots, g^{(0)}_{2^{k-1}-1})$ and $V_0 = (\hat{d}_0, \dots, \hat{d}_{2^{k-1}-1})$
8: Call $V_1 \leftarrow \mathrm{FFT}_{\bar{\mathbb{X}}}(D^{(1)}_{2^{k-1}}, k-1, v_{k-1} + \beta)$, where $D^{(1)}_{2^{k-1}} = (g_0^{(1)}, \dots, g^{(1)}_{2^{k-1}-1})$ and $V_1 = (\hat{d}_{2^{k-1}}, \dots, \hat{d}_{2^k-1})$
9: return $\hat{D}_{2^k} = (\hat{d}_0, \hat{d}_1, \dots, \hat{d}_{2^k-1})$

The inverse FFT can be obtained by backtracking the FFT given above. In contrast to the forward transform, the inverse transform is given the coefficients of $D^{(0)}_{2^{k-1}}(x)$ and $D^{(1)}_{2^{k-1}}(x)$, and the objective is to find the coefficients of $D_{2^k}(x)$. We reformulate (16) and (14) as

$$\begin{aligned}
d_{i+2^{k-1}} &= g_i^{(0)} + g_i^{(1)}, \\
d_i &= g_i^{(0)} + \frac{s_{k-1}(\beta)}{s_{k-1}(v_{k-1})}\, d_{i+2^{k-1}},
\end{aligned} \quad i = 0, 1, \dots, 2^{k-1} - 1. \tag{18}$$

From (18), we can compute the coefficients of $D_{2^k}(x)$. The coefficients of $D^{(0)}_{2^{k-1}}(x)$ and $D^{(1)}_{2^{k-1}}(x)$ can be obtained by applying the inverse transform recursively. The details are shown in Algorithm 2. Note that $\mathrm{IFFT}_{\bar{\mathbb{X}}}(\bullet, k, \beta)$ denotes the inverse transform. Algorithms 1 and 2 use the same notations such that one can follow them easily. It is clear that both algorithms have the same number of arithmetic operations. Figure 1 shows an example of the proposed algorithm and its inversion. The input polynomial is defined as $D(x) = \sum_{i=0}^{3} d_i \bar{X}_i(x)$, and the output is given by $\hat{D}_i = D(\omega_i + \beta)$, for $i = 0, 1, 2, 3$.

Algorithm 2 Inverse transform of the basis $\bar{\mathbb{X}}$
Input: $\mathrm{IFFT}_{\bar{\mathbb{X}}}(\hat{D}_{2^k}, k, \beta)$: $\hat{D}_{2^k} = (\hat{d}_0, \hat{d}_1, \dots, \hat{d}_{2^k-1})$, where each $\hat{d}_i = D_{2^k}(\omega_i + \beta)$, $k$ is the binary logarithm of size, and $\beta \in \mathbb{F}_{2^m}$
Output: $D_{2^k} = (d_0, d_1, \dots, d_{2^k-1})$, the coefficients of $D_{2^k}(x)$
1: if $k = 0$ then return $\hat{d}_0$
2: end if
3: Call $D^{(0)}_{2^{k-1}} \leftarrow \mathrm{IFFT}_{\bar{\mathbb{X}}}(V_0, k-1, \beta)$, where $V_0 = (\hat{d}_0, \dots, \hat{d}_{2^{k-1}-1})$ and $D^{(0)}_{2^{k-1}} = (g_0^{(0)}, \dots, g^{(0)}_{2^{k-1}-1})$
4: Call $D^{(1)}_{2^{k-1}} \leftarrow \mathrm{IFFT}_{\bar{\mathbb{X}}}(V_1, k-1, v_{k-1} + \beta)$, where $V_1 = (\hat{d}_{2^{k-1}}, \dots, \hat{d}_{2^k-1})$ and $D^{(1)}_{2^{k-1}} = (g_0^{(1)}, \dots, g^{(1)}_{2^{k-1}-1})$
5: for $i = 0, \dots, 2^{k-1} - 1$ do
6:     $d_{i+2^{k-1}} \leftarrow g_i^{(0)} + g_i^{(1)}$
7:     $d_i \leftarrow g_i^{(0)} + \frac{s_{k-1}(\beta)}{s_{k-1}(v_{k-1})}\, d_{i+2^{k-1}}$
8: end for
9: return $D_{2^k} = (d_0, d_1, \dots, d_{2^k-1})$

Fig. 1. Data flow diagram of the proposed 4-point transform and its inversion. (Panel (b): the inverse transform.)
i=0 
IV. Polynomial basis with monic polynomials and its operations

In this section, we define an alternative version of the polynomial basis, and its algorithms to perform multiplications, formal derivatives, and divisions on the new basis. All these operations will be used in the coding algorithms. The alternative basis is defined as

$$\mathbb{X} = \{X_0(x), X_1(x), \dots, X_{2^m-1}(x)\}$$

in $\mathbb{F}_{2^m}[x]/(x^{2^m} - x)$, where each $X_i(x)$ is given in (9). This implies that each $X_i(x)$ is a monic polynomial. For any $D_{h-1}(x) \in \mathbb{F}_{2^m}[x]/(x^{2^m} - x)$, the basis conversion between $\bar{\mathbb{X}}$ and $\mathbb{X}$ requires only $h$ multiplications/divisions:

$$D_{h-1}(x) = \sum_{i=0}^{h-1} d_i \cdot \bar{X}_i(x) = \sum_{i=0}^{h-1} \frac{d_i}{p_i} X_i(x). \tag{19}$$

With the linear-time basis conversion, the multipoint evaluation in $\bar{\mathbb{X}}$ (Algorithm 1) can also be applied on $\mathbb{X}$, and the complexity is unchanged.

To simplify the notations, in the rest of this paper, the polynomials are represented in $\mathbb{X}$. For $D_{2^k}(x)$ in $\mathbb{X}$, the evaluations at $V_k + \beta = \{\omega_i + \beta\}_{i=0}^{2^k-1}$ are denoted as

$$\mathrm{FFT}_{\mathbb{X}}(D_{2^k}, k, \beta) = (D_{2^k}(\omega_0 + \beta), D_{2^k}(\omega_1 + \beta), \dots, D_{2^k}(\omega_{2^k-1} + \beta)),$$

and the inversion is denoted as $\mathrm{IFFT}_{\mathbb{X}}(D_{2^k}, k, \beta)$. Based on Algorithm 1, the transforms are defined as

$$\mathrm{FFT}_{\mathbb{X}}(D_{2^k}, k, \beta) = \mathrm{FFT}_{\bar{\mathbb{X}}}(D_{2^k} \otimes P_{2^k}, k, \beta), \tag{20}$$

$$\mathrm{IFFT}_{\mathbb{X}}(D_{2^k}, k, \beta) = \mathrm{IFFT}_{\bar{\mathbb{X}}}(D_{2^k}, k, \beta) \oslash P_{2^k}, \tag{21}$$

where $P_{2^k} = (p_0, p_1, \dots, p_{2^k-1})$. The operation $\otimes$ is the pairwise multiplication on two vectors, and the operation $\oslash$ is the pairwise division. Since the multiplication and formal derivative in $\mathbb{X}$ are similar to those given in [15], we summarize them in Appendix A for completeness. Next we present the algorithm for polynomial division that is essential for decoding of RS codes.

A. Polynomial Division

In this subsection, we propose an $O(h\lg(h))$ polynomial division in the basis $\mathbb{X}$. The proposed algorithm is based on the Newton iteration approach that was used by the fast division algorithms in the standard basis [13] with $O(h\lg(h))$, if an $O(h\lg(h))$ FFT exists. However, since our basis is different from the standard basis, some moderate modifications are required.

As compared with the conventional fast division, the proposed approach has two major differences. First, the conventional fast division shall reverse the coefficients of the divisor $B(x)$ upon performing the Newton iteration. However, in our basis $\mathbb{X}$, the polynomial reversion cannot be applied. Thus, the proposed algorithm does not reverse the polynomials, and all operations are performed on the polynomials without reversions. Second, the proposed algorithm includes some specific multiplications that are not required in the conventional approach, such as $X_y(x)$ in (28) and $s_1(x)$ in (45). The objective of these multiplications is to align the results such that the desired polynomial can be extracted properly.

Let $Q(A(x), i)$ denote the quotient of dividing $A(x)$ by $s_i(x)$, where $A(x)$ is in the basis $\mathbb{X}$ and $\deg(A(x)) < 2^{i+1}$. Precisely, for a polynomial of degree $h < 2^{i+1}$,

$$\begin{aligned}
A(x) = \sum_{l=0}^{h-1} a_l X_l(x) &= \sum_{l=0}^{2^i-1} a_l X_l(x) + \sum_{l=2^i}^{h-1} a_l X_l(x) \\
&= \sum_{l=0}^{2^i-1} a_l X_l(x) + s_i(x) \sum_{l=2^i}^{h-1} a_l X_{l-2^i}(x).
\end{aligned} \tag{22}$$

The quotient of dividing $A(x)$ by $s_i(x)$ is then

$$Q(A(x), i) = \sum_{l=0}^{h-1-2^i} a_{l+2^i} X_l(x).$$

In general, given a dividend $a(x)$ and a divisor $b(x)$, the division is to determine the quotient $Q(x)$ and the remainder $r(x)$ such that

$$a(x) = Q(x) \cdot b(x) + r(x), \tag{23}$$

where $\deg(r(x)) \le \deg(b(x)) - 1$. Without loss of generality, we consider the case

$$\deg(a(x)) > \deg(b(x)) > 0. \tag{24}$$

The proposed algorithm first finds the quotient $Q(x)$, and then the remainder is calculated by

$$r(x) = a(x) - Q(x) \cdot b(x). \tag{25}$$

In the following, we focus on the algorithm to determine $Q(x)$. Let

$$y = 2^{D_\ell} - \deg(b(x)) - 1, \tag{26}$$

where

$$D_\ell = \lceil \lg(\deg(a(x)) + 1) \rceil. \tag{27}$$

To begin with, (25) is multiplied by $X_y(x)$ to obtain

$$r(x) \cdot X_y(x) = a(x) \cdot X_y(x) - Q(x) \cdot b(x) \cdot X_y(x). \tag{28}$$

To simplify the notations, let

$$R(x) = r(x) \cdot X_y(x), \qquad A(x) = a(x) \cdot X_y(x), \qquad B(x) = b(x) \cdot X_y(x). \tag{29}$$

Then we have

$$R(x) = A(x) - Q(x) \cdot B(x). \tag{30}$$

Next we present a method to determine $Q(x)$ from (30). Assume that there exists a polynomial $\Lambda(x)$ such that

$$\Lambda(x) \cdot s_1(x) \cdot B(x) = s_{D_a}(x) + H(x), \tag{31}$$

where

$$\deg(H(x)) \le \deg(B(x)) + 1 = 2^{D_\ell}, \tag{32}$$

and

$$D_a = \lceil \lg(\deg(A(x)) + 1) \rceil. \tag{33}$$

The algorithm to find $\Lambda(x)$ will be addressed in Section IV-B. Before determining $Q(x)$, we first present two lemmas whose proofs are given in Appendix B.

Lemma 2.

$$D_a = D_\ell + 1. \tag{34}$$

From (31) and Lemma 2, the degree of $\Lambda(x)$ is thus

$$\deg(\Lambda(x)) = \deg(s_{D_a}(x)) - \deg(B(x)) - \deg(s_1(x)) = 2^{D_a} - (2^{D_\ell} - 1) - 2 = 2^{D_\ell} - 1. \tag{35}$$

After obtaining $\Lambda(x)$, (30) is multiplied by $\Lambda(x) \cdot s_1(x)$ to obtain

$$R(x) \cdot \Lambda(x) \cdot s_1(x) = A(x) \cdot \Lambda(x) \cdot s_1(x) - Q(x) \cdot B(x) \cdot \Lambda(x) \cdot s_1(x).$$

By (31), we have

$$R(x) \cdot \Lambda(x) \cdot s_1(x) = A(x) \cdot \Lambda(x) \cdot s_1(x) - Q(x) \cdot (s_{D_a}(x) + H(x)),$$

and then

$$Q(x) \cdot H(x) + R(x) \cdot \Lambda(x) \cdot s_1(x) = A(x) \cdot \Lambda(x) \cdot s_1(x) - Q(x) \cdot s_{D_a}(x). \tag{37}$$

Lemma 3. The left-hand side of (37) has degree

$$\deg(Q(x) \cdot H(x) + R(x) \cdot \Lambda(x) \cdot s_1(x)) \le 2^{D_a} - 1. \tag{38}$$

In (37), $Q(x) \cdot s_{D_a}(x)$ is a polynomial where the coefficients of $Q(x)$ start from $X_{2^{D_a}}(x) = s_{D_a}(x)$. By Lemma 3, the degree of the left-hand side is no more than $2^{D_a} - 1$. Thus, $A(x) \cdot \Lambda(x) \cdot s_1(x)$ has quotient $Q(x)$ starting on degree $2^{D_a}$, and hence the quotient can be obtained by

$$Q(x) = Q(A(x) \cdot \Lambda(x) \cdot s_1(x), D_a). \tag{39}$$

In (39), we have

$$\deg(A(x) \cdot \Lambda(x) \cdot s_1(x)) \le 2^{D_a} + 2^{D_\ell} - 1 + 2 = 3 \cdot 2^{D_\ell} + 1. \tag{40}$$

Algorithm 3 Polynomial divisions in $\mathbb{X}$
Input: A dividend $a(x)$ and a divisor $b(x)$, with $\deg(a(x)) > \deg(b(x)) > 0$
Output: A quotient $Q(x)$ and a remainder $r(x)$, such that $a(x) = Q(x) \cdot b(x) + r(x)$.
1: Compute $A(x) = a(x) \cdot X_y(x)$, $B(x) = b(x) \cdot X_y(x)$, where $y$ is defined as (26).
2: Find $\Lambda(x)$ such that (31) holds.
3: Compute $Q(x)$ by (39).
4: Compute $r(x)$ by (25).
5: return $Q(x)$ and $r(x)$.

Algorithm 3 shows the steps of the division algorithm. The complexity is analyzed below. In Step 1, as $\deg(A(x)) = \deg(a(x)) + \deg(X_y(x)) < 2^{D_\ell+1}$ and $\deg(B(x)) = \deg(b(x)) + \deg(X_y(x)) = 2^{D_\ell} - 1$, the complexity is $O(2^{D_\ell+1} \lg(2^{D_\ell+1})) = O(2^{D_\ell} \lg(2^{D_\ell}))$. In Step 2 we will show that $O(2^{D_\ell} \lg(2^{D_\ell}))$ suffices in Section IV-B. In Step 3, (40) shows that the complexity is $O(2^{D_\ell} \lg(2^{D_\ell}))$. In Step 4, as the degrees of polynomials are less than $2^{D_\ell}$, the complexity is no more than $O(2^{D_\ell} \lg(2^{D_\ell}))$. In summary, Algorithm 3 has the complexity $O(2^{D_\ell} \lg(2^{D_\ell})) = O(\deg(a(x)) \lg(\deg(a(x))))$.

B. Determining $\Lambda(x)$ given in (31)

Given $B(x) = \sum_{i=0}^{d_B} b_i X_i(x)$ with $b_{d_B} \ne 0$, this subsection presents a method to find $\Lambda(x)$ in (31). Notice that $d_B = \deg(\Lambda(x)) = 2^{D_\ell} - 1$. The proposed method can be seen as a modified version of the division with Newton iterations.

The method iteratively computes the coefficients of $\Lambda(x)$ from highest degree to lowest degree. For $i = 0, 1, \dots, D_\ell$, the updated polynomial $\Lambda_i(x)$ of degree $2^i - 1$ is calculated from $\Lambda_{i-1}(x)$. The initial polynomial is

$$\Lambda_0(x) = b_{d_B}^{-1}. \tag{41}$$

Let $B_{D_\ell}(x) = B(x)$, and

$$B_i(x) = Q(B_{i+1}(x), i), \quad i = 0, 1, \dots, D_\ell - 1. \tag{42}$$

(42) can be rewritten as

$$B_{i+1}(x) = B_i(x) \cdot s_i(x) + \bar{B}_i(x), \tag{43}$$

where $\bar{B}_i(x)$, $\deg(\bar{B}_i) \le 2^i - 1$, is the residual. Clearly, $\deg(B_i(x)) = 2^i - 1$.

For $i = 1, 2, \dots, D_\ell$, $\Lambda_i(x)$ is defined as

$$\Lambda_i(x) = Q((s_{i-1}(x))^2 \cdot \bar{\Lambda}_i(x), i + 1), \tag{44}$$

where

$$\bar{\Lambda}_i(x) = (\Lambda_{i-1}(x))^2 \cdot B_i(x) \cdot s_1(x). \tag{45}$$

It can be verified that $\deg(\bar{\Lambda}_i(x)) = 2^{i+1} - 1$ and $\deg(\Lambda_i(x)) = 2^i - 1$ hold. The validity of $\Lambda(x) = \Lambda_{D_\ell}(x)$ is supported as follows, where all proofs are given in Appendix B.

Lemma 4. $\Lambda_i(x)$ possesses the following equality:

$$\Lambda_i(x) \cdot B_i(x) \cdot s_1(x) = s_{i+1}(x) + r_i(x), \tag{46}$$

with $\deg(r_i(x)) \le 2^i$.

The following reformulation of (44), which contains no polynomial multiplications, can be used to determine the complexity of calculating (44).

Lemma 5. (44) can be rewritten as

$$\Lambda_i(x) = \Lambda_i^{(h)}(x) + Q(\Lambda_i^{(h)}(x), i - 1) \cdot s_{i-1}(v_{i-1}), \tag{47}$$

where

$$\Lambda_i^{(h)}(x) = Q(\bar{\Lambda}_i(x), i).$$

Algorithm 4 depicts the steps. The algorithm repeats performing (45) and (44) (or (47)) to obtain $\Lambda_{D_\ell}(x)$, which is the desired output $\Lambda(x)$. For the complexity, each iteration (lines 3-4) calculates (45) and (44). In (45), as $\deg(\Lambda_{i-1}(x)) = 2^{i-1} - 1$, $\deg(B_i(x)) = 2^i - 1$ and $\deg(s_1(x)) = 2$, the multiplication (45) requires $O(2^i \lg(2^i))$. In (44), Lemma 5 showed that the computation can be reduced to $O(2^i)$ without polynomial multiplications. Thus, each iteration takes $O(2^i \lg(2^i))$ operations, and the complexity for the loop (lines 2-5) takes

$$\sum_{i=1}^{D_\ell} O(2^i \lg(2^i)) = O(2^{D_\ell} \lg(2^{D_\ell})).$$

Algorithm 4 $\Lambda(x)$ computation
Input: A polynomial $B(x)$
Output: A polynomial $\Lambda(x)$ such that (31) holds, where $\deg(\Lambda(x)) = \deg(B(x)) = 2^{D_\ell} - 1$.
1: Let $\Lambda_0(x) = b_{d_B}^{-1}$.
2: for $i = 1, 2, \dots, D_\ell$ do
3:     Compute (45).
4:     Compute (44) (or (47), equivalently).
5: end for
6: return $\Lambda_{D_\ell}(x)$.

V. Extended Euclidean Algorithm based on Half-GCD Approach

This section introduces the extended Euclidean algorithm that will be used in the decoding of RS codes. Given two polynomials $a(x) = r_{-1}(x)$, $b(x) = r_0(x)$, and

$$\deg(b(x)) < \deg(a(x)) < 2^g, \tag{52}$$

the Euclidean algorithm is a procedure to recursively divide $r_{k-2}(x)$ by $r_{k-1}(x)$ to get

$$r_{k-2}(x) = q_k(x) \cdot r_{k-1}(x) + r_k(x),$$

with $\deg(r_k) < \deg(r_{k-1})$. The procedure stops at $r_N(x) = 0$, and $r_{N-1}(x)$ is the greatest common divisor (gcd) of $a(x)$ and $b(x)$. An extended version, namely the extended Euclidean algorithm, calculates $r_k(x)$ with a pair of polynomials $(u_k(x), v_k(x))$ in each iteration such that

$$a(x) \cdot u_k(x) + b(x) \cdot v_k(x) = r_k(x).$$

The $(k-1)$-th step of the extended Euclidean algorithm can be expressed in matrix form as

$$\begin{bmatrix} r_{k-2}(x) \\ r_{k-1}(x) \end{bmatrix} = \begin{bmatrix} u_{k-2}(x) & v_{k-2}(x) \\ u_{k-1}(x) & v_{k-1}(x) \end{bmatrix} \begin{bmatrix} a(x) \\ b(x) \end{bmatrix}.$$

The next step is shown as

$$\begin{bmatrix} r_{k-1}(x) \\ r_k(x) \end{bmatrix} = \begin{bmatrix} 0 & 1 \\ 1 & -q_k(x) \end{bmatrix} \begin{bmatrix} u_{k-2}(x) & v_{k-2}(x) \\ u_{k-1}(x) & v_{k-1}(x) \end{bmatrix} \begin{bmatrix} a(x) \\ b(x) \end{bmatrix}. \tag{54}$$

The half-GCD algorithm [20], [13] calculates the temporal result of the extended Euclidean algorithm at the $s$-th step such that

$$\deg(r_s(x)) \le 2^{g-1} - 1. \tag{55}$$

In this section, we present a half-GCD algorithm in basis $\mathbb{X}$. This approach will be performed to solve the error locator polynomial (see (76)) in the decoding procedure of RS codes.

For polynomials in the monomial basis, there exist fast approaches in $O(M(h)\lg(h))$ operations, where $M(h)$ denotes the complexity of multiplying two polynomials of degrees $h/2$ (see [13, Algorithm 11.6] or [19, Figure 8.3]). The idea comes from an observation that the quotient $q_k(x)$ is determined by the upper degree part of $r_{k-1}(x)$ and $r_k(x)$, and the lower degree parts of $r_{k-1}(x)$ and $r_k(x)$ are not necessary. Fortunately, this observation is also applicable to our basis $\mathbb{X}$.

From the observation, we partition the inputs $a(x)$ (and $b(x)$) into several portions, so that the procedure can be applied on the portions of higher degrees. For the algorithms on the monomial basis, it is simple to make such partitions. For basis $\mathbb{X}$, we have to choose partition points at degrees $X_{2^{g-2}}(x)$ and $X_{2^{g-1}}(x)$. Precisely, $a(x)$ is divided into three polynomials $a_{LL}(x)$, $a_{LH}(x)$ and $a_H(x)$ at $s_{g-2}(x)$ and $s_{g-1}(x)$, respectively. The representation is given by

$$a(x) = a_L(x) + s_{g-1}(x)\, a_H(x) = a_{LL}(x) + s_{g-2}(x)\, a_{LH}(x) + s_{g-1}(x)\, a_H(x). \tag{56}$$

Similarly, $b(x)$ is partitioned in the same manner:

$$b(x) = b_L(x) + s_{g-1}(x)\, b_H(x) = b_{LL}(x) + s_{g-2}(x)\, b_{LH}(x) + s_{g-1}(x)\, b_H(x). \tag{57}$$

Algorithm 5 depicts the proposed algorithm $\mathrm{HGCD}(a(x), b(x), g)$, with $\deg(b(x)) < \deg(a(x))$ and $2^{g-1} \le \deg(a(x)) \le 2^g - 1$. The algorithm outputs two matrices

$$Z = \begin{bmatrix} z_0(x) \\ z_1(x) \end{bmatrix} \quad \text{and} \quad M = \begin{bmatrix} m_{00}(x) & m_{01}(x) \\ m_{10}(x) & m_{11}(x) \end{bmatrix} \tag{58}$$

such that

1) $$Z = M \begin{bmatrix} a(x) \\ b(x) \end{bmatrix}; \tag{59}$$

2) $$\deg(z_0(x)) \ge 2^{g-1}, \qquad \deg(z_1(x)) \le 2^{g-1} - 1; \tag{60}$$

3) $$\deg(m_{11}(x)) \le \deg(a(x)) - \deg(z_0(x)); \tag{61}$$

4) $$\deg(m_{i0}(x)) \le \deg(m_{11}(x)), \qquad \deg(m_{0i}(x)) \le \deg(m_{11}(x)), \quad i = 0, 1. \tag{62}$$

Algorithm 5 Half-GCD algorithm
Input: $\mathrm{HGCD}(a(x), b(x), g)$, where $a(x), b(x) \in \mathbb{F}_{2^m}[x]/(x^{2^m} - x)$ in basis $\mathbb{X}$, and $\deg(b(x)) < \deg(a(x))$, $2^{g-1} \le \deg(a(x)) \le 2^g - 1$
Output: Two matrices $(Z, M)$ given in (58)
1: if $\deg(b(x)) < 2^{g-1}$ then return $\left( \begin{bmatrix} a(x) \\ b(x) \end{bmatrix}, \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix} \right)$
2: end if
3: $(Z_H, M_H) \leftarrow \mathrm{HGCD}(a_H(x), b_H(x), g - 1)$
4: Compute
$$\begin{bmatrix} z_{M0}(x) \\ z_{M1}(x) \end{bmatrix} = Z_H \cdot s_{g-1}(x) + M_H \begin{bmatrix} a_L(x) \\ b_L(x) \end{bmatrix} \tag{48}$$
5: if $\deg(z_{M1}(x)) \le 2^{g-1} - 1$ then return
$$\left( Z_M = \begin{bmatrix} z_{M0}(x) \\ z_{M1}(x) \end{bmatrix}, M_H \right). \tag{49}$$
6: end if
7: $z_{M0}(x)$ is divided by $z_{M1}(x)$ to get
$$z_{M0}(x) = q_M(x) \cdot z_{M1}(x) + r_M(x) \tag{50}$$
with $\deg(r_M(x)) < \deg(z_{M1}(x)) \le 2^{g-1} + 2^{g-2} - 1$.
8: $z_{M1}(x)$ and $r_M(x)$ are divided into three polynomials, denoted as
$$z_{M1}(x) = z_{M1LL}(x) + s_{g-2}(x)\, z_{M1LH}(x) + s_{g-1}(x)\, z_{M1H}(x),$$
$$r_M(x) = r_{MLL}(x) + s_{g-2}(x)\, r_{MLH}(x) + s_{g-1}(x)\, r_{MH}(x).$$
Compute
$$z_{M1M}(x) = z_{M1LH}(x) + (s_{g-2}(x) + s_{g-2}(v_{g-2}))\, z_{M1H}(x),$$
$$r_{MM}(x) = r_{MLH}(x) + (s_{g-2}(x) + s_{g-2}(v_{g-2}))\, r_{MH}(x).$$
9: $(Y_M, M_M) \leftarrow \mathrm{HGCD}(z_{M1M}(x), r_{MM}(x), g - 1)$
10: return $(Z_R, M_R)$, where
$$M_R = M_M \begin{bmatrix} 0 & 1 \\ 1 & -q_M(x) \end{bmatrix} M_H, \qquad Z_R = Y_M \cdot s_{g-2}(x) + M_M \begin{bmatrix} z_{M1LL}(x) \\ r_{MLL}(x) \end{bmatrix} \tag{51}$$

Before proving the validity of Algorithm 5, we give the following lemmas whose proofs are given in Appendix B.

Lemma 6. Algorithm 5 always outputs $Z$ and $M$ given in (58) that satisfy (59).

Lemma 7. The recursive calls in $\mathrm{HGCD}(a(x), b(x), g)$ meet the requirements $\deg(b(x)) < \deg(a(x))$ and $2^{g-1} \le \deg(a(x)) \le 2^g - 1$.

Lemma 8. Algorithm 5 always outputs $Z$ and $M$ given in (58) that satisfy (60).

Lemma 9. Algorithm 5 always outputs $Z$ and $M$ given in (58) that satisfy (61) and (62).

By the above lemmas, we have

Theorem 2. Algorithm 5 is valid. That is, Algorithm 5 always outputs $Z$ and $M$ given in (58) that satisfy the above four conditions.

We determine the computational complexity as follows. The algorithm complexity is denoted as $T(h)$ for polynomial degrees $h = 2^g$. In step 3 and step 9, the algorithm calls the routine twice, and it takes $2 \cdot T(h/2)$. Line 7 is the polynomial division, and this requires $O(h\lg(h))$ by using the fast division approach in Sec. IV. Line 4 and line 10 have polynomial additions and polynomial multiplications. As those polynomials have degrees less than $h$, the complexity is $O(h\lg(h))$ by the results given in Appendix A. In summary, the overall complexity is

$$T(h) = 2T(h/2) + O(h\lg(h)), \quad \text{and} \quad T(h) = O(h\lg^2(h)).$$

VI. Reed-Solomon encoding algorithm 

This section introduces an $O(n\lg(n-k))$ encoding algorithm for $(n = 2^m, k)$ RS codes over $\mathbb{F}_{2^m}$, with $T = 2^t = n - k$ a power of two. There exist two viewpoints for the constructions of RS codes, termed as the polynomial evaluation approach and the generator polynomial approach. For the polynomial evaluation approach, the message is interpreted as a polynomial $u(x) \in \mathbb{F}_{2^m}[x]/(x^{2^m} - x)$ of degree less than $k$. The codeword $\mathbf{v} = (v_0, v_1, \dots, v_{n-1})$ is defined as the evaluations of $u(x)$ at $n$ distinct points.

Assume $u(x)$ is in the basis $X$, and thus $u(x) = \sum_{i=0}^{k-1} u_i X_i(x)$. The vector of coefficients is denoted as

$$\mathbf{u} = (u_0, u_1, \dots, u_{k-1}, \underbrace{\omega_0, \omega_0, \dots, \omega_0}_{T}), \tag{63}$$

with $T$ $\omega_0$s in the high degree part. Then the codeword can be computed via Algorithm 1

$$\mathbf{v} = \mathrm{FFT}_X(\mathbf{u}, m, \omega_0). \tag{64}$$

However, (64) requires $O(n\lg(n))$ operations, and the generated codeword is not systematic. In the following, another formula with complexity $O(n\lg(n-k))$ is given, and the generated codeword is systematic. The inversion of (64) is given by

$$\mathbf{u} = \mathrm{IFFT}_X(\mathbf{v}, m, \omega_0). \tag{65}$$

Note that, in (65), $\mathbf{u}$ has $T$ $\omega_0$s in the high degree part (see (63)). To begin with, $\mathbf{v}$ is divided into a number of sub-vectors

$$\mathbf{v} = (\mathbf{v}_0, \mathbf{v}_1, \dots, \mathbf{v}_{n/T-1}), \tag{66}$$

where each $\mathbf{v}_i$ has $T$ elements defined as

$$\mathbf{v}_i = (v_{i\cdot T}, v_{1+i\cdot T}, \dots, v_{T-1+i\cdot T}), \quad i = 0, 1, \dots, n/T - 1.$$

Those sub-vectors can be proved to possess the equality given in the following lemma, whose proof is given in Appendix B.

Lemma 10. The following equality holds:

$$\boldsymbol{\omega}_0 = \mathrm{IFFT}_X(\mathbf{v}_0, t, \omega_0) + \mathrm{IFFT}_X(\mathbf{v}_1, t, \omega_T) + \cdots + \mathrm{IFFT}_X(\mathbf{v}_{n/T-1}, t, \omega_k), \tag{67}$$

where $+$ is the addition for vectors.

(67) plays the core transform of the proposed algorithm. Assume $\mathbf{v}_0$ includes the parity symbols, and others $\{\mathbf{v}_i\}_{i=1}^{n/T-1}$ are the message symbols. From (67), the parity is computed via

$$\mathbf{v}'_0 = \mathrm{IFFT}_X(\mathbf{v}_1, t, \omega_T) + \mathrm{IFFT}_X(\mathbf{v}_2, t, \omega_{2T}) + \cdots + \mathrm{IFFT}_X(\mathbf{v}_{n/T-1}, t, \omega_k), \tag{68}$$

$$\mathbf{v}_0 = \mathrm{FFT}_X(\mathbf{v}'_0, t, \omega_0).$$

This algorithm requires a $T$-point FFT and $(n/T - 1)$ times of $T$-point IFFT. Hence, the complexity of the encoding algorithm is

$$O(T\lg(T)) + (n/T - 1)\,O(T\lg(T)) = O(n\lg(n-k)).$$

VII. Reed-Solomon decoding algorithm 

This section shows a decoding algorithm for $(n = 2^m, k)$ RS codes over $\mathbb{F}_{2^m}$, where the codeword $\mathbf{v} = (v_0, \dots, v_{n-1}) = (u(\omega_0), \dots, u(\omega_{n-1}))$ is generated by Section VI. The proposed algorithm follows the syndrome-based decoding process. Let $\mathbf{r} = (r_0, r_1, \dots, r_{n-1}) = \mathbf{v} + \mathbf{e}$ denote the received vector with error pattern $\mathbf{e} = (e_0, e_1, \dots, e_{n-1})$. Hence,

$$r_i = u(\omega_i) + e_i. \tag{69}$$

If $e_i \neq 0$, $r_i$ is an erroneous symbol. Suppose $\mathbf{e}$ contains $\nu < (n-k)/2 = T/2$ non-zero symbols. Let

$$E = \{\omega_i \in \mathbb{F}_{2^m} \mid e_i \neq 0\} \tag{70}$$

denote the set of $\omega_i$ corresponding to locations of errors. Then, the error-locator polynomial is defined as

$$\lambda(x) = \prod_{\omega_i \in E} (x - \omega_i). \tag{71}$$

Let $r(x)$ denote a polynomial of degree less than $2^m$, with $r(\omega_i) = r_i$, $\omega_i \in \mathbb{F}_{2^m}$. It is clear to see that

$$r(\omega_i)\cdot\lambda(\omega_i) = \begin{cases} 0 & \text{if } \omega_i \in E; \\ r_i\cdot\lambda(\omega_i) & \text{if } \omega_i \in \mathbb{F}_{2^m}\setminus E. \end{cases}$$

The above formula leads to

$$u(\omega_i)\cdot\lambda(\omega_i) = r(\omega_i)\cdot\lambda(\omega_i) \;\Rightarrow\; u(x)\cdot\lambda(x) = r(x)\cdot\lambda(x) \pmod{x - \omega_i} \quad \forall \omega_i \in \mathbb{F}_{2^m}. \tag{72}$$

Due to

$$\prod_{i=0}^{2^m-1} (x - \omega_i) = x^{2^m} - x = s_m(x),$$

(72) implies that

$$u(x)\cdot\lambda(x) = r(x)\cdot\lambda(x) \pmod{s_m(x)} \;\Rightarrow\; u(x)\cdot\lambda(x) = r(x)\cdot\lambda(x) + q(x)\cdot s_m(x), \tag{73}$$

with $\deg(q(x)) < \nu < T/2$. Given $r(x)$, (73) is the key equation to find out $\lambda(x)$, by applying the Euclidean algorithm on $s_m(x)$ and $r(x)$. However, though (73) is similar to the key equation of the syndrome decoding, $r(x)$ is not the syndrome polynomial. To obtain the syndrome decoding, the new key formula is the quotients of dividing $\lambda(x)$ and $s_m(x)$ by $X_k(x)$.

In this case, $r(x)$ is divided into two parts

$$r(x) = r_0(x) + X_k(x)\,s(x), \tag{74}$$

where $r_0(x)$ denotes the residual. Notably, if no error occurs, $r(x) = u(x)$ of degree less than $k$, and hence $s(x) = 0$. Thus we can take $s(x)$ as the syndrome polynomial.

For $s_m(x)$, the polynomial is recursively decomposed by 0 to obtain (75).

In (75), the degree of each term is less than $k = n - T = 2^m - 2^t$, except for the last term $X_{2^m - 2^t}(x)\,s_t(x)$. Thus, the quotient of dividing $s_m(x)$ by $X_k(x)$ would be $s_t(x)$.

Based on above results, the new key formula is

$$z_0(x) = s(x)\lambda(x) + q(x)s_t(x), \tag{76}$$

with $\deg(z_0(x)) < T/2$. (76) is the key equation to find the error locator polynomial.

To find $\lambda(x)$, the extended Euclidean algorithm is applied on $s_t(x)$ and $s(x)$. The extended Euclidean algorithm stops when the remainder has degree less than $T/2$. After obtaining $\lambda(x)$, the next step is to find out the locations of errors $E$ defined in (70), that is, the set of roots of $\lambda(x)$.

After obtaining $E$, the final step is to calculate the error values. The formal derivative of (73) is

$$u'(x)\cdot\lambda(x) + u(x)\cdot\lambda'(x) = r'(x)\cdot\lambda(x) + r(x)\cdot\lambda'(x) + q'(x)\cdot s_m(x) + q(x). \tag{77}$$

By substituting $\omega_i \in E$ into (77), the error value is given by

$$u(\omega_i)\cdot\lambda'(\omega_i) = r(\omega_i)\cdot\lambda'(\omega_i) + q(\omega_i) \;\Rightarrow\; u(\omega_i) - r(\omega_i) = \frac{q(\omega_i)}{\lambda'(\omega_i)} \quad \forall \omega_i \in E. \tag{78}$$


Notice that (78) uses $q(x)$ to compute the error values, rather than $z_0(x)$ used in Forney's formula. In summary, the decoding algorithm consists of four steps:

1) Calculate syndrome polynomial $s(x)$.

2) Determine the error-locator polynomial $\lambda(x)$ from (76) by extended Euclidean algorithm.

3) Find the error locations $E$.

4) Calculate the error values via (78).

The details of each step are described below. In the first step, $s(x)$ is the high degree part of applying IFFT on the received codeword $\mathbf{r}$. However, since only the high degree part is required, we follow the same idea of the encoding formula (67). In particular, the received codeword is divided into several individual parts $\mathbf{r} = (\mathbf{r}_0, \mathbf{r}_1, \dots, \mathbf{r}_{n/T-1})$, where each $\mathbf{r}_i$ has $T = 2^t = n - k$ elements. Then the syndrome polynomial is calculated by

$$\mathbf{s} = \mathrm{IFFT}_X(\mathbf{r}_0, t, \omega_0) + \mathrm{IFFT}_X(\mathbf{r}_1, t, \omega_T) + \cdots + \mathrm{IFFT}_X(\mathbf{r}_{n/T-1}, t, \omega_k).$$


In the second step, the fast Euclidean algorithm (Algorithm 5) is applied on $s_t(x)$ and $s(x)$. Upon performing the Euclidean algorithm, we go a step by dividing $s_t(x)$ with $s(x)$, resulting in

$$s_t(x) = q_t(x)\cdot s(x) + r_t(x).$$

Then call Algorithm 5 with inputs $s(x)$ and $r_t(x)$ to obtain

$$\left( \begin{bmatrix} z_0(x) \\ z_1(x) \end{bmatrix}, \begin{bmatrix} u_0(x) & v_0(x) \\ u_1(x) & v_1(x) \end{bmatrix} \right) \leftarrow \mathrm{HGCD}(s(x), r_t(x), T).$$

Then we have

$$\begin{aligned} & z_1(x) = u_1(x)s(x) + v_1(x)r_t(x) \\ \Rightarrow\; & z_1(x) = u_1(x)s(x) + v_1(x)(s_t(x) - q_t(x)\cdot s(x)) \\ \Rightarrow\; & z_1(x) = v_1(x)s_t(x) + (u_1(x) - v_1(x)q_t(x))s(x), \end{aligned} \tag{79}$$

and thus the error locator polynomial is given by

$$\lambda(x) = u_1(x) - v_1(x)q_t(x).$$

In the third step, the roots of $\lambda(x)$ can be searched via FFTs. The transform

$$\mathrm{FFT}_X(\lambda, T, \omega_{i\cdot T}) \tag{80}$$

is to evaluate $\lambda(x)$ at $V_t + \omega_{i\cdot T}$. If the result vector contains zeros, then $\lambda(x)$ has some roots at the corresponding points. (80) is performed at $i = 0, 1, \dots, n/T - 1$ to search the roots in $\mathbb{F}_{2^m}$. Notably, if $\deg(\lambda(x))$ is larger than the number of found roots, the decoding procedure shall be terminated. This situation occurs when the number of errors exceeds $T/2$.

In the final step, we compute $\mathrm{FFT}_X(q, T, \omega_{i\cdot T})$ and $\mathrm{FFT}_X(\lambda', T, \omega_{i\cdot T})$ (computing $\lambda'(x)$ is given in Appendix A), for $i = 0, 1, \dots, n/T - 1$. Then the error values are calculated via (78).

To determine the computational complexity, the first step requires $(n/T)$ times of $T$-point IFFT such that the complexity is $n/T \cdot O(T\lg(T)) = O(n\lg(n-k))$. The second step takes $O((n-k)\lg^2(n-k))$ operations. The third step requires $(n/T)$ times of $T$-point FFT, and thus the complexity is $O(n\lg(n-k))$. The final step requires a formal derivative of polynomial degree $T$, and at most $2(n/T)$ times of $T$-point FFT. Thus, the complexity is $O(n\lg(n-k))$. In summary, the proposed decoding algorithm requires $O(n\lg(n-k) + (n-k)\lg^2(n-k))$.
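The key equation (73) and the error-value formula (78) can be exercised end to end on a small code. The following Python code is an added example, not code from the paper or its authors: it uses naive polynomial arithmetic in the monomial basis instead of the basis $X$ and the fast transforms, and it assumes GF($2^4$) defined by $x^4 + x + 1$, $\omega_i$ represented by the integer $i$, and a $(16, 12)$ code; all function names are hypothetical.

```python
# Added example (not from the paper): decoding via key equation (73) and formula (78).
M, N, K = 4, 16, 12      # assumed (n, k) = (16, 12) over GF(2^4): T = 4, corrects 2 errors
POLY = 0b10011           # assumed field polynomial x^4 + x + 1; w_i is the integer i
S_M = [0, 1] + [0] * (N - 2) + [1]   # s_m(x) = x^(2^m) - x, coefficients low degree first

def gmul(a, b):
    """Multiply two elements of GF(2^M): shift-and-add with reduction by POLY."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (POLY if a >> (M - 1) else 0)
        b >>= 1
    return r

def ginv(a):             # multiplicative inverse, computed as a^(2^M - 2)
    r = 1
    for _ in range(2 ** M - 2):
        r = gmul(r, a)
    return r

def trim(p):
    """Drop zero leading coefficients, so that deg(p) = len(p) - 1 and deg(0) = -1."""
    while p and p[-1] == 0:
        p = p[:-1]
    return p

def padd(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) ^ (b[i] if i < len(b) else 0) for i in range(n)])

def pmul(a, b):
    out = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] ^= gmul(x, y)
    return trim(out)

def pdivmod(a, b):       # both inputs must already be trimmed, b non-zero
    quo, inv = [0] * max(len(a) - len(b) + 1, 1), ginv(b[-1])
    while len(a) >= len(b):
        c, s = gmul(a[-1], inv), len(a) - len(b)
        quo[s] = c
        a = padd(a, [0] * s + [gmul(c, y) for y in b])   # cancels the leading term
    return trim(quo), a

def peval(p, x):
    y = 0
    for c in reversed(p):    # Horner's rule
        y = gmul(y, x) ^ c
    return y

def pderiv(p):           # formal derivative in characteristic 2: odd-degree terms survive
    return trim([c if i % 2 else 0 for i, c in enumerate(p)][1:])

def interpolate(values):
    """r(x), deg < n, r(w_i) = values[i]; s_m'(x) = 1 makes s_m(x)/(x - w_i) the basis."""
    r = []
    for w, v in enumerate(values):
        basis, _ = pdivmod(S_M, [w, 1])
        r = padd(r, [gmul(v, c) for c in basis])
    return r

def encode(message):     # codeword (u(w_0), ..., u(w_{n-1})), evaluation form
    return [peval(message, w) for w in range(N)]

def decode(received):
    """Return the corrected word, or None when decoding has to be terminated."""
    r0, r1 = S_M, interpolate(received)
    lam0, lam1, q0, q1 = [], [1], [1], []    # invariant: r_j = lam_j * r + q_j * s_m
    while len(r1) - 1 >= (N + K) // 2:       # stop once deg(remainder) < k + T/2
        quo, rem = pdivmod(r0, r1)
        r0, r1 = r1, rem
        lam0, lam1 = lam1, padd(lam0, pmul(quo, lam1))
        q0, q1 = q1, padd(q0, pmul(quo, q1))
    roots = [w for w in range(N) if peval(lam1, w) == 0]    # error locations E
    if len(roots) != len(lam1) - 1:
        return None                          # deg(lambda) exceeds the roots found
    dlam, fixed = pderiv(lam1), list(received)
    for w in roots:                          # (78): e_i = q(w_i) / lambda'(w_i)
        fixed[w] ^= gmul(peval(q1, w), ginv(peval(dlam, w)))
    return fixed if len(interpolate(fixed)) <= K else None

MESSAGE = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]   # constructed sample message
CODEWORD = encode(MESSAGE)
```

The Euclidean cofactors of $r(x)$ and $s_m(x)$ are $\lambda(x)$ and $q(x)$ up to a common constant, which cancels in the ratio $q(\omega_i)/\lambda'(\omega_i)$.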

VIII. Concluding remarks 

In the simulations, we implemented the algorithm in C and compiled it with the 64-bit GCC compiler on an Intel Xeon X5650 and Windows 7 platform. For $(n, k) = (2^{16}, 2^{15})$ RS codes over $\mathbb{F}_{2^{16}}$, the program took about $2.22 \times 10^{-3}$ second to produce a codeword. We tested a codeword with $(n-k)/2$ errors, and the decoding takes about 0.401 seconds. As a comparison, we also ran the standard RS decoding algorithm [22], which took about 22.014 seconds to decode a codeword. Thus, the proposed decoding is around 50 times faster than the traditional approach under the parameter configurations described above. In our simulations, the proposed RS algorithm is suitable for long RS codes.

In this paper, we developed fast decoding algorithms for $(n = 2^m, k)$ systematic Reed-Solomon (RS) codes over fields $\mathbb{F}_{2^m}$, $m \in \mathbb{Z}^+$. The proposed algorithms are formed on a new basis $X$. We reformulated the formulas of the syndrome-based decoding algorithm, such that the FFTs for the new basis can be applied. Further, the fast polynomial division algorithm is proposed. We made some modifications such that the Newton iteration can be applied to the new basis. The fast Euclidean algorithm was also given in this paper. Combining these algorithms, a fast RS decoding algorithm is proposed, to achieve the complexity $O(n\lg(n-k) + (n-k)\lg^2(n-k))$. By letting $k/n$ be a constant, the complexity can be written as $O(n\lg^2(n))$, which improves upon the best currently available decoding complexity of $O(n\lg^2(n)\lg\lg(n))$. Although Justesen [8] had given the algorithm with the same complexity in 1976, it does not include the field $\mathbb{F}_{2^m}$, which can be recognized as the most important case in real applications.

In the following, we address some potential future works:

1) To remove the constraint that $(n - k)$ is a power of two in the encoding/decoding algorithms. This will increase the values of $n$ and $k$ to be selected.

2) To generalize the algorithm to handle both errors and erasures.

3) To reduce the leading constant of the FFT approach. This will make the proposed algorithm more competitive for short codes.
Appendix A

Polynomial multiplication and formal derivative on new basis

da showed the polynomial multiplication and formal 
derivative in X. We take the similar procedure to show the 
corresponding operations in X. 


A. Multiplication

To multiply two polynomials, there exists a well-known fast approach based on FFT techniques. This approach can also be applied on the basis $X$ over finite fields $\mathbb{F}_{2^m}$. Let $a(x) = \sum_{i=0}^{h-1} a_i X_i(x)$ and $b(x) = \sum_{i=0}^{h-1} b_i X_i(x)$ denote the two polynomials in $X$. Its product $a(x)\cdot b(x) \pmod{s_\ell(x)}$ can be computed as

$$\mathrm{IFFT}_X(\mathrm{FFT}_X(\mathbf{a}, 0) \otimes \mathrm{FFT}_X(\mathbf{b}, 0), 0),$$

where $\mathbf{a} = (a_0, a_1, \dots, a_{h-1}, 0, \dots, 0)$ is a $2^\ell$-point vector that represents the coefficients of $a(x)$ up to degree $2^\ell - 1$. Similarly, $\mathbf{b}$ is defined accordingly. The operation $\otimes$ performs pairwise multiplication on two vectors. This requires one $2^\ell$-point IFFT, two $2^\ell$-point FFTs and $2^\ell$ multiplications, and thus the complexity is $O(2^\ell \lg(2^\ell))$.


B. Formal derivative 

For a polynomial $D_{2^k}(x)$ in $X$, we have

$$\begin{aligned} D_{2^k}(x) &= \sum_{i=0}^{2^k-1} d_i X_i(x) \\ &= \sum_{i=0}^{2^{k-1}-1} d_i X_i(x) + \sum_{i=2^{k-1}}^{2^k-1} d_i X_i(x) \\ &= \sum_{i=0}^{2^{k-1}-1} d_i X_i(x) + s_{k-1}(x) \sum_{i=0}^{2^{k-1}-1} d_{i+2^{k-1}} X_i(x) \\ &= D^{(0)}_{2^{k-1}}(x) + s_{k-1}(x)\,D^{(1)}_{2^{k-1}}(x). \end{aligned}$$

The formal derivative of $D_{2^k}(x)$ is given by

$$D'_{2^k}(x) = [D^{(0)}_{2^{k-1}}]'(x) + s'_{k-1}(x)\,D^{(1)}_{2^{k-1}}(x) + s_{k-1}(x)\,[D^{(1)}_{2^{k-1}}]'(x). \tag{82}$$

From Theorem 1, $s'_{k-1}(x)$ is a constant. $[D^{(0)}_{2^{k-1}}]'(x)$ and $s_{k-1}(x)[D^{(1)}_{2^{k-1}}]'(x)$ can be computed recursively. Let $h = 2^k$, and the recursive form of the complexity is written by $T(h) = 2\cdot T(h/2) + O(h)$ and then $T(h) = O(h\lg(h))$.
Appendix B
Proof of Lemmas


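A. Proof of Lemma 1

Proof. From the definition, $D_{2^k}(x)$ can be reformulated as

$$\begin{aligned} D_{2^k}(x) &= \sum_{i=0}^{2^k-1} d_i X_i(x) \\ &= \sum_{i=0}^{2^{k-1}-1} d_i X_i(x) + \sum_{i=2^{k-1}}^{2^k-1} d_i X_i(x) \\ &= \sum_{i=0}^{2^{k-1}-1} d_i X_i(x) + \frac{s_{k-1}(x)}{s_{k-1}(v_{k-1})} \sum_{i=0}^{2^{k-1}-1} d_{i+2^{k-1}} X_i(x) \\ &= \sum_{i=0}^{2^{k-1}-1} \left( d_i + \frac{s_{k-1}(x)}{s_{k-1}(v_{k-1})}\, d_{i+2^{k-1}} \right) X_i(x). \end{aligned} \tag{83}$$

From Theorem 1, given $\gamma \in \mathbb{F}_{2^m}$, we have

$$s_{k-1}(\alpha + \gamma) = s_{k-1}(\alpha) + s_{k-1}(\gamma) = s_{k-1}(\gamma) \quad \forall \alpha \in V_{k-1}. \tag{84}$$

From (83) and (84), we have

$$\begin{aligned} D_{2^k}(\alpha + \gamma) &= \sum_{i=0}^{2^{k-1}-1} \left( d_i + \frac{s_{k-1}(\alpha + \gamma)}{s_{k-1}(v_{k-1})}\, d_{i+2^{k-1}} \right) X_i(\alpha + \gamma) \\ &= \sum_{i=0}^{2^{k-1}-1} \left( d_i + \frac{s_{k-1}(\gamma)}{s_{k-1}(v_{k-1})}\, d_{i+2^{k-1}} \right) X_i(\alpha + \gamma), \end{aligned} \tag{85}$$

for each $\alpha \in V_{k-1}$. This completes the proof. □

B. Proof of Lemma 2

Proof. From (33), we have

$$\begin{aligned} D_a &= \lceil \lg(\deg(a(x)) + y + 1) \rceil \\ &= \lceil \lg(\deg(a(x)) + 2^{D_\ell} - \deg(b(x))) \rceil \\ &\geq \lceil \lg(2^{D_\ell} + 1) \rceil \quad (\text{From @}) \\ &= D_\ell + 1. \end{aligned} \tag{86}$$

Moreover,

$$\begin{aligned} D_a &= \lceil \lg(\deg(a(x)) + 2^{D_\ell} - \deg(b(x))) \rceil \\ &\leq \lceil \lg(\deg(a(x)) + 2^{D_\ell}) \rceil \\ &\leq \lceil \lg(2^{D_\ell} + 2^{D_\ell}) \rceil = D_\ell + 1. \end{aligned} \tag{87}$$

(86) and (87) conclude that $D_a = D_\ell + 1$. This completes the proof. □

C. Proof of Lemma 3

Proof. (38) is a summation of two terms. For the first term, we have

$$\begin{aligned} \deg(Q(x)\cdot H(x)) &< \deg(Q(x)) + \deg(B(x)) + 1 && (\text{From (32)}) \\ &= \deg(A(x)) + 1 && (\text{From (30)}) \\ &= \deg(a(x)) + y + 1 && (\text{From (29)}) \\ &= \deg(a(x)) + 2^{D_\ell} - \deg(b(x)) && (\text{From (26)}) \\ &< \deg(a(x)) + 2^{D_\ell} \\ &< 2^{D_\ell} - 1 + 2^{D_\ell} && (\text{From (27)}) \\ &= 2^{D_a} - 1. \end{aligned} \tag{88}$$

For the second term, we have

$$\begin{aligned} \deg(R(x)\cdot A(x)\cdot s_1(x)) &= \deg(r(x)) + y + 2^{D_\ell} + 1 \\ &= \deg(r(x)) + (2^{D_\ell} - \deg(b(x)) - 1) + 2^{D_\ell} + 1 && (\text{From (26)}) \\ &= 2^{D_a} + \deg(r(x)) - \deg(b(x)) \\ &< 2^{D_a} - 1. \end{aligned} \tag{89}$$

This completes the proof. □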


D. Proof of Lemma 4

Proof. The proof follows mathematical induction. For the base case $i = 0$, (41) shows the following holds.

A 0 (x) • B 0 (x) ■ si(x) = s i(x), 

and fg(x) = 0 . 

Assume (46) holds at $i = j$. That is,

A j(x) ■ Bj(x) ■ si(x) = s j+1 (x) + fj(x), (90) 
which is multiplied by ( Sj(x )) 2 to get 


(sj(x)) 2 • A j(x) ■ Bj(x) ■ s i(x) 


(91) 


(92) 


=(sj(x)) 2 • s j+ i(x) + ( s-j(x )) 2 ■ rj(x). 

From (0, we have 

(Sj(x )) 2 • s j+1 (x) + ( Sj{x )) 2 • fj{x) 

=(sj+i(a ; )) 2 + Sj{v j )s j {x)s j+ i(x) + (sj(x)) 2 • rj(x) 
=s j+2 (x) + s j+1 (v j+1 )s j+1 (x) + s j (v j )s j (x)s j + i(x) 

+ (Sj(x)) 2 ■ fj(x). 

By (92) and (43), (91) can be rewritten as

Sj(x) ■ A j(x) ■ B j+ i(x) • si(x) = s j+ 2 (x) + vj (x), (93) 

where 

fj(x) =s J+1 (v j+1 )s j+1 (x) + s j (v j )s j (x)s j+ i(x) 

+ (Sj(x )) 2 ■ fj(x) (94) 

+ sj{x) ■ Aj{x) ■ Bj(x) ■ si(x). 

The degree of each term of fj(x) is 

deg(s J -+i(u3+i)sj+i(x)) = 2 J+1 , 
deg {s j (v j )s j (x)s j+1 (x)) = 2° + 2 J+1 , 
deg((sj(a;)) 2 • r 3 (x)) < 2 J+1 + 2°, 


(95) 


(96) 


(By <©) 


(97) 


deg (sj(x) • A j(x) ■ Bj(x) ■ si(x)) 

<2 j + ( 2 j - 1 ) + (2? - 1 ) + 2 . 

Thus, we have deg(r,-(x)) < 2 9+1 + 2A 
When $i = j + 1$, from (45) and (44), we have

Aj+i(x) = Q((sj(x) • A.,(x)) 2 • B j+1 (x) • s x (x), j + 2). 
The above equation can be rewritten as 

Aj +:l (x) • sj +2 (x) + f j+2 {x) 

={sj{x) ■ Aj(x)) 2 ■ B j+ i(x) • Si(x), 

where deg(fj_|_ 2 (x)) < 2 9+2 — 1. We then multiply ( |95j ) by 
Bj. |-i (x) • si(x) to obtain 

A j+i(x) ■ B j+ i(x) • si(x) • s j+2 (x) 

+ f j+2 (x) ■ B j+ i(x) • si(x) 

=(«i(x) • Aj(x) • B 3+ i(x) • Si(x )) 2 
=(sj+ 2 (x) +rj(x)) 2 
=(a, + 2 (x )) 2 + (f i (x)) 2 . 

(96) is then divided by $s_{j+2}(x)$ to get

A i+1 (x) • B j+ i(x) • si(x) = s j+2 (x) + fj- + 1 (x), 
where 

_ = (A,(x )) 2 - f i+ 2 (x) ■ B j+ i(x) • si(x) 

J+1 ’ s j+ 2 (x) 

In ( |97} , the degree of each term of deg(fj+i(x)) is as follows: 
deg((xj) 2 (x)) < 2 • ( 2 9+1 + 2 J ), 
deg(r j+ 2 (x) • -Bj+i(x) • Si(x)) 

<( 2 j+2 - 1 ) + ( 2 J+1 - 1 ) + 2 , 

deg(s i+ 2 (x)) =2 J+2 . 

Thus, deg(fj_|_i(x)) < 2 J+1 . This completes the proof. □ 

E. Proof of Lemma 5

Proof. From (44), we have

$$\begin{aligned} A_i(x) &= Q((s_{i-1}(x))^2 \cdot A_i(x), i+1) \\ &= Q((s_i(x) + s_{i-1}(v_{i-1})s_{i-1}(x)) \cdot A_i(x), i+1) \quad (\text{From 0}) \\ &= Q(s_i(x)A_i(x), i+1) + s_{i-1}(v_{i-1}) \cdot Q(s_{i-1}(x)A_i(x), i+1). \end{aligned} \tag{98}$$

(98) has two terms, and we recall that $\deg(A_i(x)) = 2^{i+1} - 1$. Let

$$A_i(x) = A_i^{(0)}(x) + s_i(x)A_i^{(1)}(x),$$

where both $A_i^{(0)}(x)$ and $A_i^{(1)}(x)$ have degrees no more than $2^i - 1$. Then

$$\begin{aligned} s_i(x)A_i(x) &= s_i(x)(A_i^{(0)}(x) + s_i(x)A_i^{(1)}(x)) \\ &= s_i(x)A_i^{(0)}(x) + (s_i(x))^2 A_i^{(1)}(x) \\ &= s_i(x)A_i^{(0)}(x) + s_i(v_i)s_i(x)A_i^{(1)}(x) + s_{i+1}(x)A_i^{(1)}(x). \end{aligned} \tag{99}$$

From (99), the first term in (98) can be reformulated as

$$Q(s_i(x)A_i(x), i+1) = A_i^{(1)}(x) = Q(A_i(x), i).$$

With the similar step, it can be shown that the second term can be formulated as

$$s_{i-1}(v_{i-1})\,Q(s_{i-1}(x)A_i(x), i+1) = Q(A_i^{(1)}(x), i-1) \cdot s_{i-1}(v_{i-1}).$$

This completes the proof. □


F. Proof of Lemma 6

Proof. For the base case $\deg(b(x)) < 2^{g-1}$ (see Algorithm 5, line 1), it is clear that (48) holds.

Assume Algorithm 5 is valid for HGCD$(a(x), b(x), j)$ with $j < g - 1$. When $j = g$, the degree of $a(x)$ is between $2^{g-1} < \deg(a(x)) < 2^{g} - 1$. In this case, both $a(x)$ and $b(x)$ are divided into three individual polynomials as expressed in (56) and (57). In line 3, HGCD$(a_H(x), b_H(x), g-1)$ is called to obtain $(Z_H, M_H)$, that possesses


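$$Z_H = M_H \cdot \begin{bmatrix} a_H(x) \\ b_H(x) \end{bmatrix}. \tag{100}$$

Multiplying (100) by $s_{g-1}(x)$ to obtain

$$Z_H \cdot s_{g-1}(x) = M_H \cdot s_{g-1}(x) \begin{bmatrix} a_H(x) \\ b_H(x) \end{bmatrix}, \tag{101}$$

which is equivalent to

$$Z_H \cdot s_{g-1}(x) + M_H \begin{bmatrix} a_L(x) \\ b_L(x) \end{bmatrix} = M_H \begin{bmatrix} s_{g-1}(x)\cdot a_H(x) + a_L(x) \\ s_{g-1}(x)\cdot b_H(x) + b_L(x) \end{bmatrix}. \tag{102}$$

By (56) and (57), (102) becomes

$$Z_H \cdot s_{g-1}(x) + M_H \begin{bmatrix} a_L(x) \\ b_L(x) \end{bmatrix} = M_H \begin{bmatrix} a(x) \\ b(x) \end{bmatrix}. \tag{103}$$

Then we have

$$\begin{bmatrix} z_{M0}(x) \\ z_{M1}(x) \end{bmatrix} = M_H \begin{bmatrix} a(x) \\ b(x) \end{bmatrix} \quad\text{and}\quad Z_M = M_H \begin{bmatrix} a(x) \\ b(x) \end{bmatrix}. \tag{104}$$

Note that $z_{M0}(x)$ and $z_{M1}(x)$ are computed in line 4. (104) shows that $(Z_M, M_H)$ satisfies the equality, and thus the return in line 5 is valid.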

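In line 7, $z_{M0}(x)$ is divided by $z_{M1}(x)$ to get

$$z_{M0}(x) = q_M(x)\cdot z_{M1}(x) + r_M(x), \tag{105}$$

with

$$\deg(r_M(x)) < \deg(z_{M1}(x)). \tag{106}$$

The matrix form of (105) can be reformulated as

$$\begin{bmatrix} z_{M1}(x) \\ r_M(x) \end{bmatrix} = \begin{bmatrix} 0 & 1 \\ 1 & -q_M(x) \end{bmatrix} \begin{bmatrix} z_{M0}(x) \\ z_{M1}(x) \end{bmatrix}. \tag{107}$$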
Then $z_{M1}(x)$ and $r_M(x)$ are decomposed into several polynomials as

$$\begin{aligned} z_{M1}(x) &= z_{M1LL}(x) + s_{g-2}(x)z_{M1LH}(x) + s_{g-1}(x)z_{M1H}(x) \\ &= z_{M1LL}(x) + s_{g-2}(x)z_{M1LH}(x) + s_{g-2}(x)(s_{g-2}(x) + s_{g-2}(v_{g-2}))z_{M1H}(x) \\ &= z_{M1LL}(x) + s_{g-2}(x)z_{M1M}(x), \end{aligned}$$

where

$$z_{M1M}(x) = z_{M1LH}(x) + (s_{g-2}(x) + s_{g-2}(v_{g-2}))z_{M1H}(x).$$

Similarly,

$$r_M(x) = r_{MLL}(x) + s_{g-2}(x)r_{MM}(x),$$

where

$$r_{MM}(x) = r_{MLH}(x) + (s_{g-2}(x) + s_{g-2}(v_{g-2}))r_{MH}(x).$$

$z_{M1M}(x)$ (and $r_{MM}(x)$) can be treated as the quotient of dividing $z_{M1}(x)$ (and $r_M(x)$) by $s_{g-2}(x)$. By (106), this implies

$$\deg(r_{MM}(x)) < \deg(z_{M1M}(x)).$$


(108) 

(109) 

(HO) 

(111) 


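Line 9 calls HGCD$(z_{M1M}(x), r_{MM}(x), g-1)$ to obtain $(Y_M, M_M)$ possessing

$$Y_M = M_M \begin{bmatrix} z_{M1M}(x) \\ r_{MM}(x) \end{bmatrix}. \tag{112}$$

Multiplying (112) by $s_{g-2}(x)$ to obtain

$$Y_M \cdot s_{g-2}(x) = M_M \cdot s_{g-2}(x) \begin{bmatrix} z_{M1M}(x) \\ r_{MM}(x) \end{bmatrix}. \tag{113}$$

By adding

$$M_M \begin{bmatrix} z_{M1LL}(x) \\ r_{MLL}(x) \end{bmatrix}$$

to both sides of (113), we have

$$Y_M \cdot s_{g-2}(x) + M_M \begin{bmatrix} z_{M1LL}(x) \\ r_{MLL}(x) \end{bmatrix} = M_M \begin{bmatrix} z_{M1LL}(x) + z_{M1M}(x)\cdot s_{g-2}(x) \\ r_{MLL}(x) + r_{MM}(x)\cdot s_{g-2}(x) \end{bmatrix}, \tag{114}$$

which is equivalent to

$$Y_M \cdot s_{g-2}(x) + M_M \begin{bmatrix} z_{M1LL}(x) \\ r_{MLL}(x) \end{bmatrix} = M_M \begin{bmatrix} z_{M1}(x) \\ r_M(x) \end{bmatrix}. \tag{115}$$

Substituting (107) and (104) into (115) to obtain

$$Y_M \cdot s_{g-2}(x) + M_M \begin{bmatrix} z_{M1LL}(x) \\ r_{MLL}(x) \end{bmatrix} = M_M \begin{bmatrix} 0 & 1 \\ 1 & -q_M(x) \end{bmatrix} M_H \begin{bmatrix} a(x) \\ b(x) \end{bmatrix}. \tag{116}$$

Hence, we have

$$Z_R = M_R \begin{bmatrix} a(x) \\ b(x) \end{bmatrix}, \tag{117}$$

where

$$M_R = M_M \begin{bmatrix} 0 & 1 \\ 1 & -q_M(x) \end{bmatrix} M_H \tag{118}$$

and

$$Z_R = Y_M \cdot s_{g-2}(x) + M_M \begin{bmatrix} z_{M1LL}(x) \\ r_{MLL}(x) \end{bmatrix} \tag{119}$$

are the return results in Line 10. □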


G. Proof of Lemma 7

Proof. Assume HGCD$(a(x), b(x), i)$ is valid for $i < g - 1$, i.e., the recursive calls in line 3 (and line 9) are valid. Assume $i = g$. It is clear that the call at line 3 satisfies the condition, since $a_H(x)$ and $b_H(x)$ are the high degree portions of $a(x)$ and $b(x)$, respectively.

For the call at line 9, we first consider the degree of $z_{M1}(x)$. For simplicity, $(Z_H, M_H)$ is denoted as

$$Z_H = \begin{bmatrix} z_{H0}(x) \\ z_{H1}(x) \end{bmatrix}, \qquad M_H = \begin{bmatrix} m_{H00}(x) & m_{H01}(x) \\ m_{H10}(x) & m_{H11}(x) \end{bmatrix}.$$

Because $\deg(a_L(x)) < 2^{g-2} - 1$, $\deg(b_L(x)) < 2^{g-2} - 1$, and $\deg(z_{H1}(x)) < 2^{g-2} - 1$, from the assumption, we have

$$\deg(z_{M1}(x)) < \max\{(2^{g-2} - 1) + 2^{g-1},\; \deg(m_{H10}(x)) + (2^{g-2} - 1),\; \deg(m_{H11}(x)) + (2^{g-2} - 1)\}. \tag{120}$$

From the assumption,

$$\deg(m_{H10}(x)) < \deg(m_{H11}(x)) < \deg(a_H(x)) - \deg(z_{H0}(x)).$$

As $\deg(a_H(x)) < 2^{g-1} - 1$ and $\deg(z_{H0}(x)) > 2^{g-2}$, we have

$$\deg(m_{H10}(x)) < \deg(m_{H11}(x)) < 2^{g-2} - 1.$$

Then (120) gives

$$\deg(z_{M1}(x)) < \max\{(2^{g-2} - 1) + 2^{g-1},\; (2^{g-2} - 1) + (2^{g-2} - 1)\} = (2^{g-2} - 1) + 2^{g-1}. \tag{121}$$

Thus, the inequality

$$\deg(r_M(x)) < \deg(z_{M1}(x)) < 2^{g-1} + 2^{g-2} - 1$$

in line 7 is valid. In line 8, $z_{M1M}(x)$ and $r_{MM}(x)$ are the quotients of dividing $r_M(x)$ and $z_{M1}(x)$ by $s_{g-2}(x)$, and then

$$\deg(r_{MM}(x)) < \deg(z_{M1M}(x)) < 2^{g-1} - 1. \tag{122}$$

Further, due to the if condition in line 5, we have

$$\deg(z_{M1}(x)) > 2^{g-1}$$

after line 7. This implies

$$\deg(z_{M1M}(x)) > 2^{g-2}. \tag{123}$$

By (122) and (123), the requirements of the call in line 9 are verified. □


H. Proof of Lemma 8

Proof. Algorithm 5 has three returns at lines 1, 5 and 10. Assume that the recursive call HGCD in line 3 and line 10 outputs the valid results. For line 1, it is clear to see it. For line 5, (101)-(104) show that the degree of $z_{M0}(x)$ is at least

$$\deg(z_{M0}(x)) > \deg(z_{H0}) + 2^{g-1}.$$

By the assumption, $\deg(z_{H0}) > 2^{g-2}$ and we have

$$\deg(z_{M0}(x)) > 2^{g-2} + 2^{g-1}. \tag{124}$$

By (124) and the if condition in line 5, the first condition holds.

Let us consider line 10. $Z_R$, $Y_M$ and $M_M$ can be denoted as

$$Z_R = \begin{bmatrix} z_{R0}(x) \\ z_{R1}(x) \end{bmatrix}, \qquad Y_M = \begin{bmatrix} y_{M0}(x) \\ y_{M1}(x) \end{bmatrix}, \qquad M_M = \begin{bmatrix} m_{M00}(x) & m_{M01}(x) \\ m_{M10}(x) & m_{M11}(x) \end{bmatrix}.$$

The degree of $z_{R0}(x)$ is at least

$$\deg(z_{R0}(x)) > \deg(y_{M0}(x)) + 2^{g-2} > 2^{g-2} + 2^{g-2} = 2^{g-1}.$$

Further,

$$\deg(z_{R1}(x)) = \max\{\deg(y_{M1}(x)) + 2^{g-2},\; \deg(m_{M10}(x)z_{M1LL}(x)),\; \deg(m_{M11}(x)r_{MLL}(x))\}. \tag{125}$$

By assumptions, we have

$$\deg(m_{M10}(x)) < \deg(m_{M11}(x)) < \deg(z_{M1M}(x)) - \deg(y_{M0}(x)) < (2^{g-1} - 1) - 2^{g-2} = 2^{g-2} - 1.$$

Then (125) becomes

$$\deg(z_{R1}(x)) < \max\{(2^{g-2} - 1) + 2^{g-2},\; (2^{g-2} - 1) + (2^{g-2} - 1)\} = 2^{g-1} - 1, \tag{126}$$

as, by assumptions, $\deg(z_{M1LL}(x)) < 2^{g-2} - 1$ and $\deg(r_{MLL}(x)) < 2^{g-2} - 1$, and $\deg(y_{M1}(x)) < 2^{g-2} - 1$. This verifies (60). □


I. Proof of Lemma 9

Proof. Assume that the recursive call HGCD in line 3 and line 10 outputs the valid results. For the base case in line 1, it is clear that the condition holds. Notice that $\deg(0)$ is a special case; we can treat $\deg(0) = 0$ in this case. For line 5, the objective is to prove

$$\deg(m_{H11}(x)) < \deg(a(x)) - \deg(z_{M0}(x)), \tag{127}$$

and

$$\deg(m_{Hi0}(x)) < \deg(m_{H11}(x)), \qquad \deg(m_{H0i}(x)) < \deg(m_{H11}(x)), \quad i = 0, 1. \tag{128}$$

By assumptions, line 3 of the algorithm gives

$$\deg(m_{H11}(x)) < \deg(a_H(x)) - \deg(z_{H0}(x)), \tag{129}$$

and

$$\deg(m_{Hi0}(x)) < \deg(m_{H11}(x)), \qquad \deg(m_{H0i}(x)) < \deg(m_{H11}(x)), \quad i = 0, 1. \tag{130}$$

(130) verifies that (128) is true. Further, (101)-(104) show that (129) can be reformed as

$$\deg(m_{H11}(x)) < \deg(a_H(x)s_{g-1}(x)) - \deg(z_{H0}(x)s_{g-1}(x)) = \deg(a(x)) - \deg(z_{M0}(x)). \tag{131}$$

This verifies (127).

Let us consider line 10. $Z_R$, $Y_M$, $M_M$, and $M_R$ can be denoted as

$$Z_R = \begin{bmatrix} z_{R0}(x) \\ z_{R1}(x) \end{bmatrix}, \qquad Y_M = \begin{bmatrix} y_{M0}(x) \\ y_{M1}(x) \end{bmatrix},$$

$$M_M = \begin{bmatrix} m_{M00}(x) & m_{M01}(x) \\ m_{M10}(x) & m_{M11}(x) \end{bmatrix}, \qquad M_R = \begin{bmatrix} m_{R00}(x) & m_{R01}(x) \\ m_{R10}(x) & m_{R11}(x) \end{bmatrix}.$$

The objective is to prove

$$\deg(m_{R11}(x)) < \deg(a(x)) - \deg(z_{R0}(x)), \tag{132}$$

$$\deg(m_{Ri0}(x)) < \deg(m_{R11}(x)), \qquad \deg(m_{R0i}(x)) < \deg(m_{R11}(x)), \quad i = 0, 1. \tag{133}$$

By assumptions, line 9 of the algorithm gives

$$\deg(m_{M11}(x)) < \deg(z_{M1M}(x)) - \deg(y_{M0}(x)), \tag{134}$$

$$\deg(m_{Mi0}(x)) < \deg(m_{M11}(x)), \qquad \deg(m_{M0i}(x)) < \deg(m_{M11}(x)), \quad i = 0, 1. \tag{135}$$

To verify (133), (118) can be reformed as

$$M_R = \begin{bmatrix} m_{M01}(x) \\ m_{M11}(x) \end{bmatrix} \begin{bmatrix} m_{H00}(x) & m_{H01}(x) \end{bmatrix} + \left( \begin{bmatrix} m_{M00}(x) \\ m_{M10}(x) \end{bmatrix} - q_M(x) \begin{bmatrix} m_{M01}(x) \\ m_{M11}(x) \end{bmatrix} \right) \begin{bmatrix} m_{H10}(x) & m_{H11}(x) \end{bmatrix}. \tag{136}$$

Based on assumptions (130) and (133), it can be seen that the degrees of the elements of $M_R$ are determined by the second term. Precisely,

$$\begin{aligned} \deg(m_{R00}(x)) &= \deg(q_M(x)) + \deg(m_{M01}(x)) + \deg(m_{H10}(x)), \\ \deg(m_{R01}(x)) &= \deg(q_M(x)) + \deg(m_{M01}(x)) + \deg(m_{H11}(x)), \\ \deg(m_{R10}(x)) &= \deg(q_M(x)) + \deg(m_{M11}(x)) + \deg(m_{H10}(x)), \\ \deg(m_{R11}(x)) &= \deg(q_M(x)) + \deg(m_{M11}(x)) + \deg(m_{H11}(x)). \end{aligned} \tag{137}$$

From the assumptions $\deg(m_{M01}(x)) < \deg(m_{M11}(x))$ and $\deg(m_{H10}(x)) < \deg(m_{H11}(x))$, (133) can be verified.

The verification of (132) is considered as follows. From (111), (134) can be reformed as

$$\deg(m_{M11}(x)) < \deg(z_{M1M}(x)s_{g-2}(x)) - \deg(y_{M0}(x)s_{g-2}(x)) = \deg(z_{M1}(x)) - \deg(z_{R0}(x)). \tag{138}$$

(138) is summed by (131), resulting in (139), and thus (132) is verified. □


J. Proof of Lemma 10

Proof. The proof follows mathematical induction. We pick $T = n/2$ as the base case. Then from (63), $\mathbf{u} = (\mathbf{u}_0, \boldsymbol{\omega}_0)$ has $n/2$ $\omega_0$s in the high degree part. From (66), $\mathbf{v} = (\mathbf{v}_0, \mathbf{v}_1)$ is divided into two equal sub-vectors. Then (65) can be written as

$$(\mathbf{u}_0, \boldsymbol{\omega}_0) = \mathrm{IFFT}_X((\mathbf{v}_0, \mathbf{v}_1), m, \omega_0).$$

In Algorithm 2, Line 3 computes $D^{(0)} = \mathrm{IFFT}_X(\mathbf{v}_0, m-1, \omega_0)$, and Line 4 computes $D^{(1)} = \mathrm{IFFT}_X(\mathbf{v}_1, m-1, \omega_{n/2})$. The vector $\boldsymbol{\omega}_0$ is calculated by line 6, and $\mathbf{u}_0$ is computed by line 7. Line 6 only requires pointwise additions, which can be written as a vector addition:

$$\boldsymbol{\omega}_0 = D^{(0)} + D^{(1)} = \mathrm{IFFT}_X(\mathbf{v}_0, m-1, \omega_0) + \mathrm{IFFT}_X(\mathbf{v}_1, m-1, \omega_{n/2}). \tag{140}$$

Assume (67) holds at $T = S = 2^s$, and thus

$$\boldsymbol{\omega}_0 = \mathrm{IFFT}_X(\mathbf{v}_0, s, \omega_0) + \mathrm{IFFT}_X(\mathbf{v}_1, s, \omega_S) + \cdots + \mathrm{IFFT}_X(\mathbf{v}_{n/S-1}, s, \omega_{n-S}). \tag{141}$$

When $T = S/2 = 2^{s-1}$, (141) becomes

$$(\mathbf{u}_{n/(S/2)-2}, \boldsymbol{\omega}_0) = \mathrm{IFFT}_X(\mathbf{v}_0, s, \omega_0) + \mathrm{IFFT}_X(\mathbf{v}_1, s, \omega_S) + \cdots + \mathrm{IFFT}_X(\mathbf{v}_{n/S-1}, s, \omega_{n-S}). \tag{142}$$

We can extract the computations regarding $\boldsymbol{\omega}_0$ in (142). Similarly, this decomposes each $s$-point IFFT into two $(s/2)$-point IFFTs, resulting in

$$\boldsymbol{\omega}_0 = \mathrm{IFFT}_X(\mathbf{v}_0, s-1, \omega_0) + \mathrm{IFFT}_X(\mathbf{v}_1, s-1, \omega_{S/2}) + \cdots + \mathrm{IFFT}_X(\mathbf{v}_{n/S-1}, s-1, \omega_{n-S/2}). \tag{143}$$

This completes the proof. □


$$\begin{aligned} & \deg(m_{M11}(x)) + \deg(m_{H11}(x)) < \deg(z_{M1}(x)) - \deg(z_{R0}(x)) + \deg(a(x)) - \deg(z_{M0}(x)) \\ \Rightarrow\; & \deg(m_{M11}(x)) + \deg(m_{H11}(x)) + \deg(z_{M0}(x)) - \deg(z_{M1}(x)) < \deg(a(x)) - \deg(z_{R0}(x)) \\ \Rightarrow\; & \deg(m_{M11}(x)) + \deg(m_{H11}(x)) + \deg(q_M(x)) < \deg(a(x)) - \deg(z_{R0}(x)) && (\text{By (105)}) \\ \Rightarrow\; & \deg(m_{R11}(x)) < \deg(a(x)) - \deg(z_{R0}(x)) && (\text{By (137)}) \end{aligned} \tag{139}$$